Reality check
"Companies can be fined up to €20 million ($24.1m), or up to four per cent of their previous year’s global annual revenues, depending on which is higher, if they have violated GDPR"
They seldom if ever are though, even if that's the initially specified penalty. Practically every major fine so far has been negotiated down to coffee money on appeal - if for no other reason that the resources of the offender are so vast that they could bankrupt the regulator by prolonging the legal process. So "compromise" is usually reached that effectively lets the perp off the hook.